There’s been a fair amount of discussion about Google’s move to improve security for Google Apps (which I wrote about yesterday) by introducing a form of two-factor authentication. The general consensus seems to be that, although there are various potential problems, as with any security scheme, on the whole this is a positive step.
One of the more interesting responses is a diary entry by Johannes Ulrich of the SANS Institute, at the Internet Storm Center. He talks a bit about Google’s offering, and compares it some other methods of two-factor authentication. One “traditional” approach, which I have used, gives each user a small electronic “token” that generates a one-time authentication code, either via a challenge-response protocol, or a clock-based generator. (RSA Data Security, now a part of EMC, makes a SecurID token that is an example of this technology.) The primary disadvantage of this method is cost; as Ullrich says, it works out to something like $50 per user, or perhaps more.
Ullrich describes some alternative methods of getting two-factor authentication “on the cheap”. One of these, which is used in the Google offering, is sending the user a one-time access code by means of an SMS message to the user’s cell phone. Another, also part of Google’s system, uses a software application on a mobile device as a token. There are potential drawbacks to both of these: for example, SMS messages are not necessarily reliable, and will not work if there is no cellular service available at a particular location.
Ullrich also describes a decidedly low-tech solution: providing each user with a pre-printed list of one-time passwords, which are crossed off as they are used. (I’ve used this technique in the past for very sensitive accounts.) This method has its problems, too, of course. For one thing, it puts one in the key distribution business, with the same problems as one-time pad cryptography. The user must be very careful not to lose the list, or leave it lying around, since it can be “hacked” with a copying machine. Nonetheless, it illustrates an important point: careful thought about the environment and the threat landscape means much more, in security terms, than whiz-bang technology.